
Cyber-physical risk represents one of the most important emerging risk frontiers for industrial organizations. As operational technology, artificial intelligence, automation, robotics, connected equipment, and digital control systems become more deeply embedded in physical operations, cyber risk is no longer limited to data loss, privacy, or business systems disruption. In manufacturing, energy, chemicals, utilities, logistics, and other asset-intensive sectors, a cyber event can now create physical consequences—equipment damage, production interruption, environmental releases, and serious injury or fatality potential.
If a digital system fails, is manipulated, or cannot be trusted, what happens physically—and are we ready?
Discussion of the Topic
This specialty page on LeadingEHS.com is intended to highlight cyber-physical risk as a critical area of focus for modern EHS, safety, operations, cybersecurity, and governance leaders. The central idea is straightforward: when digital systems control physical processes, cyber risk becomes operational risk. That means organizations must move beyond traditional IT-centered cybersecurity thinking and evaluate how cyber threats can affect controls, safeguards, alarms, safety instrumented systems, emergency shutdown capability, process stability, and business continuity.
Much of this work is being developed through my collaboration with Fay Feeney on AIOT—artificial intelligence and operational technology risk. Together, we are exploring how AI is changing both sides of the cyber-physical risk equation: enabling more sophisticated threats while also creating new tools for risk sensing, scenario analysis, anomaly detection, resilience planning, and board-level oversight. Fay brings deep expertise in board governance and enterprise risk, while my perspective is grounded in EHS, process safety, operational risk, and highly automated industrial environments. That combination allows us to connect plant-floor realities with boardroom decision-making.
Learn more about AIOT from Fay's and my articles:
- How Safety Leaders and Boards Can Protect Operational Technology – Part 1
- AI and the Cyber Battlefield for Operational Technology – Part 2
- How Safety Professionals Identify and Manage OT Cyber Risk – Part 3
- How Safety Professionals Help Directors Make Better Operational Technology Investment Decisions – Part 4
Cyber-physical risk is becoming an important emerging field of practice for occupational safety and health professionals as AI, automation, robotics, and operational technology become more deeply integrated into industrial operations. When digital systems control physical processes, cyber events can become safety events, operational disruptions, environmental incidents, and business continuity challenges. This creates a new and important role for OSH professionals: helping organizations understand how cyber threats can translate into physical consequences and ensuring that risk management systems protect people, operations, communities, and long-term enterprise value.
Meeting the Need for Professional Risk Management
Safety professionals already bring essential capabilities to this challenge, including hazard identification, consequence analysis, barrier management, human factors, emergency response, incident investigation, and operational resilience. The purpose of this curriculum is not to turn OSH professionals into cybersecurity engineers. Rather, it is designed to help them become effective contributors to cyber-physical risk management by building the knowledge needed to translate cyber threats into physical outcomes, operational risk, and resilience requirements.
Major elements of study include:
- Cyber-physical risk fundamentals: understanding how cyber events can affect physical operations, equipment, workers, the environment, and business continuity
- Operational technology literacy: learning the basics of PLCs, DCS, SCADA, HMIs, SIS, emergency shutdown systems, and connected industrial assets
- Cybersecurity concepts for OSH professionals: understanding attack vectors, social engineering, remote access, vendor risk, ransomware, segmentation, monitoring, and access control
- Risk translation skills: converting cyber scenarios into physical outcomes such as loss of control, equipment damage, environmental release, production disruption, or SIF potential
- Process safety integration: applying PHA, HAZOP, FMEA, LOPA, bowtie analysis, and critical control verification to cyber-physical scenarios
- Human factors and response readiness: addressing operator decision-making, alarm reliability, degraded digital conditions, emergency shutdown, incident command, and safe restart
- Business continuity and resilience: ensuring recovery plans restore safe operational control, not just IT systems
- Governance and board reporting: developing KRIs, AIOT Resilience Index scoring, dashboards, and decision-ready information for executives and directors
- Capital allocation and legacy risk: helping organizations evaluate OT investments, aging systems, and modernization through the lens of risk reduction and resilience improvement
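To make the "risk translation" and "process safety integration" items concrete, here is an added worked example (not code from this page or from the authors' AIOT work) that carries the classic LOPA arithmetic through a constructed reactor over-pressure scenario; the layer names, initiating frequencies, PFDs and tolerable target are all assumed illustrative values. It shows the point a cyber-physical review turns on: a safeguard that shares an access path with the initiating cyber event is not independent of it and earns no credit.

```python
"""Added illustration, not code from the original page: LOPA-style arithmetic
for a cyber-initiated scenario. Every number below is a constructed example
value, not a figure from any standard, vendor or facility."""
from dataclasses import dataclass


@dataclass
class Layer:
    name: str
    pfd: float           # probability of failure on demand (constructed)
    cyber_exposed: bool  # reachable over the same network/remote-access path as the initiator


@dataclass
class Scenario:
    name: str
    initiating_frequency: float  # initiating events per year (constructed)
    layers: list
    cyber_initiated: bool = False  # initiating event is a manipulation of the control system


def uncredited_layers(s: Scenario) -> list:
    """Layers that lose independence when the initiator is a cyber event: the same
    intrusion that causes the demand can defeat any layer on the shared access path."""
    return [layer.name for layer in s.layers if s.cyber_initiated and layer.cyber_exposed]


def mitigated_frequency(s: Scenario) -> float:
    """f_mitigated = f_initiating * product(PFD of credited layers); an uncredited
    layer is assumed to fail on demand, i.e. it contributes a PFD of 1.0."""
    lost = set(uncredited_layers(s))
    f = s.initiating_frequency
    for layer in s.layers:
        f *= 1.0 if layer.name in lost else layer.pfd
    return f


def meets_target(s: Scenario, target_per_year: float) -> bool:
    return mitigated_frequency(s) <= target_per_year


TARGET = 1e-4  # tolerable frequency of the over-pressure consequence, per year (constructed)

# Same physical safeguards, three different initiators (all constructed).
_BPCS = Layer("BPCS high-pressure alarm and operator response", 0.1, cyber_exposed=True)
_SIS_SHARED = Layer("SIS high-pressure trip (on shared network)", 0.01, cyber_exposed=True)
_SIS_ISOLATED = Layer("SIS high-pressure trip (isolated, hardwired)", 0.01, cyber_exposed=False)
_RELIEF = Layer("Pressure relief valve", 0.01, cyber_exposed=False)

HARDWARE_FAULT = Scenario("transmitter drift", 0.1, [_BPCS, _SIS_SHARED, _RELIEF])
CYBER_SHARED = Scenario("control logic manipulated via remote access", 0.1, [_BPCS, _SIS_SHARED, _RELIEF], True)
CYBER_ISOLATED = Scenario("control logic manipulated via remote access", 0.1, [_BPCS, _SIS_ISOLATED, _RELIEF], True)

if __name__ == "__main__":
    for s in (HARDWARE_FAULT, CYBER_SHARED, CYBER_ISOLATED):
        print(f"{s.name:45s} {mitigated_frequency(s):.1e}/yr  meets target: {meets_target(s, TARGET)}")
```

The same hardware fault that meets the target with two credited layers falls three orders of magnitude short once a shared network makes the SIS part of the initiating event, which is the case for segmentation or hardwiring the safety layer.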
References and Key Standards for Cyber-Physical Risk
Operational Technology and Industrial Cybersecurity
NIST SP 800-82 Rev. 3 – Guide to Operational Technology (OT) Security
A foundational reference for understanding OT security, including industrial control systems, SCADA, DCS, PLCs, and the unique safety, reliability, and performance requirements of OT environments. NIST describes SP 800-82 Rev. 3 as guidance for improving OT security while addressing OT’s unique performance, reliability, and safety requirements.
ISA/IEC 62443 Series – Industrial Automation and Control Systems Cybersecurity
One of the most important consensus standards for industrial cybersecurity. ISA describes the ISA/IEC 62443 series as defining requirements and processes for implementing and maintaining secure industrial automation and control systems, with a holistic approach that bridges operations and IT as well as process safety and cybersecurity.
NIST Cybersecurity Framework 2.0
A broad cybersecurity risk management framework organized around the core functions of Govern, Identify, Protect, Detect, Respond, and Recover. NIST states that CSF 2.0 can help organizations understand, assess, prioritize, and communicate cybersecurity risks.
CISA Cybersecurity Performance Goals (CPGs)
A practical set of cybersecurity practices intended to help organizations, including critical infrastructure owners and operators, prioritize high-impact security actions. CISA describes the CPGs as voluntary practices aligned to NIST CSF 2.0 and focused on highest-priority baseline cybersecurity actions.
MITRE ATT&CK for Industrial Control Systems (ICS)
A useful knowledge base for understanding adversary tactics and techniques specific to industrial control system environments. MITRE describes ATT&CK for ICS as a matrix of tactics and techniques representing adversary behavior in ICS environments.
AI Governance and AI Risk Management
NIST AI Risk Management Framework (AI RMF 1.0)
A useful reference for organizations integrating AI into industrial operations, predictive analytics, risk sensing, automation, and decision support. NIST describes the AI RMF as a flexible, structured, and measurable process for addressing AI risks while maximizing benefits and reducing negative impacts.
ISO/IEC 42001:2023 – Artificial Intelligence Management System
A management system standard for organizations developing or using AI. ISO describes ISO/IEC 42001 as the world’s first AI management system standard and as a structured way to manage AI risks and opportunities while balancing innovation with governance.
Process Safety, Functional Safety, and OSH Management
OSHA 29 CFR 1910.119 – Process Safety Management of Highly Hazardous Chemicals
A core U.S. regulatory standard for preventing or minimizing catastrophic releases of toxic, reactive, flammable, or explosive chemicals. OSHA states that the standard contains requirements for preventing or minimizing the consequences of catastrophic releases that may create toxic, fire, or explosion hazards.
EPA Risk Management Program (RMP), 40 CFR Part 68
A key U.S. chemical accident prevention regulation. EPA states that the RMP rule implements Clean Air Act Section 112(r) to improve chemical accident prevention and requires covered facilities to develop a Risk Management Plan.
IEC 61511 – Functional Safety: Safety Instrumented Systems for the Process Industry Sector
An essential standard for safety instrumented systems in process industries. IEC states that IEC 61511-1:2016 provides requirements for specification, design, installation, operation, and maintenance of safety instrumented systems so they can achieve or maintain a safe state of the process.
IEC 61508 – Functional Safety of Electrical/Electronic/Programmable Electronic Safety-Related Systems
The broader functional safety framework underlying sector-specific standards such as IEC 61511. It is important where cyber-physical risk intersects with programmable safety-related systems, automation, control logic, and safety integrity.
ISO 45001:2018 – Occupational Health and Safety Management Systems
A global OSH management system standard. ISO describes ISO 45001 as specifying requirements for an OH&S management system and providing a framework for organizations to manage risks and improve OH&S performance.
CCPS Process Safety Publications and Guidelines
The Center for Chemical Process Safety provides widely used process safety guidance. CCPS describes its publications as addressing topics such as incident investigation, hazardous chemicals management, plant security, and preventive maintenance.
Resilience, Business Continuity, and Enterprise Risk
ISO 22301:2019 – Security and Resilience: Business Continuity Management Systems
A useful standard for planning recovery from cyber-physical disruptions. ISO describes ISO 22301 as helping organizations enhance resilience against disruptions, ensure continuity of operations and services, and improve recovery time.
ISO 31000 – Risk Management Guidelines
A broad enterprise risk management framework useful for connecting plant-level cyber-physical risk to ERM, governance, and board-level oversight.
CISA Shields Up Guidance
A practical government resource for heightened cybersecurity readiness. CISA describes Shields Up as guidance to help organizations prepare for, respond to, and mitigate the impact of cyberattacks.
Sector-Specific Regulations and Governance Requirements
SEC Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Rule
Important for public companies because it connects cybersecurity risk to governance and disclosure obligations. The SEC rule requires disclosure of material cybersecurity incidents and enhanced standardized disclosures about cybersecurity risk management, strategy, and governance.
EU NIS2 Directive
Relevant for organizations operating in or connected to EU critical sectors. The European Commission describes NIS2 as establishing a unified legal framework to uphold cybersecurity across 18 critical sectors and requiring national cybersecurity strategies and cross-border cooperation.
NERC Critical Infrastructure Protection (CIP) Standards
Relevant for electric utility and bulk power system organizations. NERC identifies its CIP standards as Critical Infrastructure Protection standards within its reliability standards program.
TSA Pipeline Security Directives
Relevant for hazardous liquid and natural gas pipeline operators and LNG facilities. TSA pipeline security directives address cybersecurity requirements for pipeline owner/operators, including operational technology implications.
Call to Action
These references show that cyber-physical risk sits at the intersection of multiple disciplines: OT cybersecurity, process safety, occupational safety and health, functional safety, business continuity, enterprise risk management, AI governance, and board oversight.
For OSH professionals, the opportunity is to integrate these bodies of knowledge into a practical field of practice focused on one central question: If a digital system fails, is manipulated, or cannot be trusted, what happens physically—and are we ready?